Authority to Operate on AWS

Accelerating security and compliance certifications and authorizations.

The Authority to Operate (ATO) on AWS is an Amazon Web Services (AWS) Partner Network (APN) program which provides resources to solution providers running on AWS who need assistance in their pursuit of a compliance authorization. This includes the Federal Risk and Authorization Management Program (FedRAMP), Defense Federal Acquisition Regulation Supplement (DFARS), Payment Card Industry Data Security Standard (PCI DSS), Criminal Justice Information Services (CJIS), as well as many other compliance programs.

Are you a customer looking to access direct engagement and guidance? Learn more about how to expedite the authorization process for compliance programs like FedRAMP here. 

AWS Device Qualification


The ATO on AWS Program includes training in the AWS Security Automation and Orchestration (SAO) methodology and access to a detailed and customized action plan providing a blueprint to achieve your security and compliance goals, optimizing your cloud workloads, and improving your ability to meet your most demanding customers’ requirements.

The AWS Security Automation and Orchestration (SAO) program and methodology enables AWS customers and partners to constrain, track, and publish continuous risk treatments (CRT), configurations and assimilates DevOps routines continuous integration (CI), and continuous delivery (CD) into a secure Infrastructure as Code AWS customer architecture. These architectures are configured to converge across common security frameworks through the use of security as code practices from both AWS services and APN solutions.

Through this program, AWS Partners will be enabled to help customers, partners, and Independent Solution Vendors (ISVs).



Accelerates security & compliance authorization process



Reduces cost & time (Average 18-24 months) - FedRAMP


Provides reusable artifacts including guidance, templates, tools, and pre-built templates for APN Solutions


Builds & Optimizes

Builds and Optimizes DevOps, SecOps, Continuous Integration/Continuous Delivery (CI/CD), Continuous Risk Treatment (CRT) strategies



Develops proven Techniques using AWS Security Automation and Orchestration (SAO) methodology

The AWS Security Automation and Orchestration (SAO) Methodology

Continuous risk treatments (CRT)

CRT is a process and technology approached which is designed to detect, maintain and correct security, compliance and risks through the use of security “Guard Rails." For example, on AWS Security Hub you can run automated, continuous account-level configuration and compliance checks based on industry standards and best practices. Additionally, customers can deploy a standardized architecture from the CIS AWS Foundations Benchmark from Center for Internet Security (CIS) which deploys a set of security configuration best practices for hardening AWS accounts, and provides continuous monitoring capabilities for these security configurations.

DevOps Routines

Configure and assimilate DevOps routines (e.g. continuous integration (CI) and continuous delivery (CD)) into a secure AWS Cloud environment. AWS Partners help you use automation so you can build faster and more efficiently. Using AWS services, you can automate manual tasks or processes such as deployments, development and test workflows, container management, and configuration management. AWS provides services that help you practice DevOps at your company and that are built first for use with AWS. These tools automate manual tasks, help teams manage complex environments at scale, and keep engineers in control of the high velocity that is enabled by DevOps.

AWS supports a large ecosystem of partners which integrate with and extend AWS services. Use your preferred third-party and open source tools with AWS to build an end-to-end solution.

Meet Common Security Frameworks

AWS Config Rules enables you to implement security policies as code for your organization and evaluate configuration changes to AWS resources against these policies. You can use Config rules to audit your use of AWS resources for compliance with external compliance frameworks such as CIS AWS Foundations Benchmark and with your internal security policies related to the US Health Insurance Portability and Accountability Act (HIPAA), the Federal Risk and Authorization Management Program (FedRAMP), and other regimes. Using Config, you can automate assessment of your resource configurations and resource changes to ensure continuous compliance and self-governance across your AWS infrastructure.

AWS Config, AWS CloudTrail and Amazon CloudWatch work together to continuously track, audit and assess the overall compliance of your AWS resource configurations with your organization’s policies and guidelines. Data from AWS Config enables you to continuously monitor the configurations of your resources and evaluate these configurations for potential security weaknesses needed to meet common security frameworks and many others across the globe.

Benefits of ATO on AWS

The ATO on AWS program reduces the time and cost associated with achieving compliance certifications and authorizations while enabling a capability to continuously develop, integrate, and monitor a solution throughout its lifecycle. The program is a partner-driven process which includes training, tools, pre-built CloudFormation templates, control implementation details, and pre-built policy/procedure artifacts.

Additionally, customers are able to access direct engagement and guidance from AWS compliance specialists, Solutions Architects and support from APN Consulting and Technology Partners who leverage the AWS Security Automation and Orchestration (SAO) methodology and ATO on AWS program capabilities, such as:

Joint partner programs

We will support AWS Partners in the development and delivery of programs that add value to ATO on AWS by providing more options and unique capabilities to ISVs.


Once ISVs achieve their ATO, we will jointly develop and execute a marketing plan to raise awareness and educate customers about the solution. Solutions will be published and marketed on the ATO on AWS landing page, and have the option of publication of a written or video case study/testimonial.

Increased Visibility

ATO on AWS Partners have increased visibility to AWS customers by showcasing on ATO on AWS partner pages and surfacing in the Partner Solutions Finder.

ATO on AWS Badge

Use of Authority to Operate on AWS Badge to be leveraged on AWS Partner marketing materials. 

Getting started

We are actively seeking more AWS Partners to continue to expand this community and the resources available to customers in regulatory markets. If you are interested in joining us, please contact

In order to apply for the ATO on AWS Program, AWS Partners must meet the following critiera: 

  • Satisfy APN Tier Requirements

    In order to apply for the Authority to Operate on AWS Program, AWS Partners must meet APN Select Tier requirements.

    See Select Tier Consulting Partner Requirements | See Select Tier Technology Partner Requirements

    Follow the steps below to ensure your firm's Partner Scorecard is up to date and to apply for your APN Upgrade.

    APN Tier (Select, Advanced or Premier): Once your Partner Scorecard is up to date, apply to upgrade your firm’s APN membership, follow the steps below:

    Step #1: Log in to AWS Partner Central 
    Step #2: Click on "View Partner Scorecard" from left navigation
    Step #3: Submit AWS Partner compliance details
    Step #4: Click "Apply to Upgrade"

  • Meet Authority to Operate on AWS Requirements

    Download Validation Checklist: Review the requirements for the Authority to Operate on AWS Program with the links below. Before you apply, make sure your firm meets all requirements listed on the Validation Checklist.

    Consulting Partner Validation Checklist | Technology Partner Validation Checklist 

    AWS Customer References: The Authority to Operate on AWS requires two (2) AWS Customer References. You will be expected to submit Customer References and project details in the application. For required public AWS Customer References, you will need to submit a public case study, whitepaper, or blog post that details your work on AWS with the customer.

    Member of the AWS Public Sector Partner Program: In order to be eligible for the ATO on AWS Program, AWS Partners must be a member of the AWS Public Sector Partner Program. This program enables AWS Partners to accelerate their business growth on AWS through alignment with public sector sales, marketing, and bid teams. 

  • Apply for ATO on AWS

    You may submit your application along with required attachments through your Partner Central portal.

ATO on AWS Partners

See all the Partners >>